Policy-Based Routing Lab
Objectives:
Your organization is implementing a dual ISP setup should be tightly controlled. They have requested the following parameters:
- Client1 surfs the Internet all day doing nothing productive. All traffic from this client should route out ISP2, which is a slower Internet connection. If ISP2 is down, Client1 should not be able to access the Internet.
- Client2 handles sophisticated transactions. Both Telnet and HTTPS traffic should route towards ISP1, which is the more reliable connection. All other traffic from Client2 should route out ISP2.
- Traffic from other clients (not shown in this diagram) should route out ISP2.
- Traffic originating from the PolicyRouter should prefer ISP1 but should fail over to ISP2 should ISP1 be unavailable. Verify ISP1 is available using proactive testing techniques.
Testing:
1. Telnet from Client1 to ISP2 (201.1.1.2). The telnet session should connect to the ISP router; likewise, you should be able to verify traffic by using the show route-map command on the PolicyRouter. You can also verify by traffic by viewing the logging buffer on ISP2. Performing a telnet session to ISP1 (200.1.1.2) should fail (simply because ISP1 and ISP2 have no knowledge of each other).
2. Telnet from Client2 to ISP1 (200.1.1.2) using TCP port 23 and 443 (telnet 200.1.1.2 443). Both sessions should connect. You can validate the path used through the same process as Client1. Telnet to ISP2 using TCP port 80 (telnet 201.1.1.2) to validate alternate path routing. Telnetting to ISP2 using port 23 or 443 should fail (since traffic will be policy routed to ISP1 who has no knowledge of ISP2).
3. To test traffic originating from the router, issue pings to ISP1 (these should succeed), then ping ISP2 (these should fail). Verify that ISP1 received the packets by viewing the logging buffer. Shut down the interface to ISP1 and then ping ISP2; the pings should succeed.
Lets match all traffic from client 1 as per the first objective:
PolicyRouter(config)#ip access-list ext CLIENT1
PolicyRouter(config-ext-nacl)#permit ip host 192.168.1.20 any
PolicyRouter(config-ext-nacl)#exit
Done, lets get the route-map setup which will use the ACL above.
PolicyRouter(config)#route-map POLICY 10
PolicyRouter(config-route-map)#match ip address CLIENT1
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2
PolicyRouter(config-route-map)#do show route-map POLICY
route-map POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT1
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 0 packets, 0 bytes
So Our route-map will match all traffic from client1 (192.168.1.20) and set its next hop address to ISP2, that is the the first task complete (although we still need to apply it)
PolicyRouter(config)#ip access-list ext CLIENT2
PolicyRouter(config-ext-nacl)#permit tcp host 192.168.1.21 any eq 23
PolicyRouter(config-ext-nacl)#permit tcp host 192.168.1.21 any eq 443
PolicyRouter(config)#route-map POLICY 20
PolicyRouter(config-route-map)#match ip address CLIENT2
PolicyRouter(config-route-map)#set ip next-hop 200.1.1.2
PolicyRouter(config-route-map)#
PolicyRouter#conf t
*Mar 1 00:38:11.263: %SYS-5-CONFIG_I: Configured from console by console
PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT1
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 20
Match clauses:
ip address (access-lists): CLIENT2
Set clauses:
ip next-hop 200.1.1.2
Policy routing matches: 0 packets, 0 bytes
Right, so as per the next objective, we have created a new ACL, which will match telnet and https traffic from client2 (192.168.1.21) and set it to route to ISP1, now to make all other traffic from client 2 to route out to ISP2;
PolicyRouter(config)#route-map POLICY permit 30
PolicyRouter(config-route-map)#set ip ne
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2
PolicyRouter(config-route-map)#exit
PolicyRouter(config)#do show route-map POLICY
route-map POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT1
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 20
Match clauses:
ip address (access-lists): CLIENT2
Set clauses:
ip next-hop 200.1.1.2
Policy routing matches: 0 packets, 0 bytes
route-map POLICY, permit, sequence 30
Match clauses:
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 0 packets, 0 bytes
With this next step in the policy, we can complete the task2 and task3, as we did not set a "match ip address" so this will MATCH EVERYTHING.
Which accomplishes the tasks requried.
If any other traffic other than telnet and https is sent to the router it will not match sequence 20 and will be caught in the catch all of statement 30 :0)
Lets apply the route-map
PolicyRouter(config)#inter fa0/0
PolicyRouter(config-if)#ip policy route-map POLICY
PolicyRouter#show ip policy
Interface Route map
Fa0/0 POLICY
Lets test, So we should be able to telnet from Client1 to ISP2 (201.1.1.2) - as all traffic should route to ISP2
Client1#telnet 201.1.1.2
Trying 201.1.1.2 ... Open
User Access Verification
Password:
Sure enough, we connect succesfully, lets also try and connect to ISP 1 (200.1.1..2)
Client1#telnet 200.1.1.2
Trying 200.1.1.2 ...
% Destination unreachable; gateway or host down
We have matches on sequence 10, it fails because it is going out to ISP2, and this router knows nothing about ISP1!
PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT1
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 21 packets, 1266 bytes
the ACL loggin on ISP2 confirms the packets:
*Mar 1 00:58:48.963: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 1 packet
ISP2#
*Mar 1 01:01:43.163: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 200.1.1.2(0), 1 packet
ISP2#
*Mar 1 01:04:05.011: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 12 packets
ISP2#
*Mar 1 01:07:05.015: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 200.1.1.2(0), 8 packets
ISP2#
*Mar 1 01:10:05.015: %SEC-6-IPACCESSLOGP: list log permitted tcp 192.168.1.20(0) -> 201.1.1.2(0), 10 packets
ISP2#
Now lets test Client 2:
Client2#telnet 200.1.1.2
Trying 200.1.1.2 ... Open
Password required, but none set
[Connection to 200.1.1.2 closed by foreign host]
So this works as expected and the policy maps confirms this:
PolicyRouter#show route-map POLICY
route-map POLICY, permit, sequence 10
Match clauses:
ip address (access-lists): CLIENT1
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 37 packets, 2226 bytes
route-map POLICY, permit, sequence 20
Match clauses:
ip address (access-lists): CLIENT2
Set clauses:
ip next-hop 200.1.1.2
Policy routing matches: 10 packets, 606 bytes
lets confirm https access also:
Client2#telnet 200.1.1.2 443
Trying 200.1.1.2, 443 ... Open
[Connection to 200.1.1.2 closed by foreign host]
and we can see the matches on the CLIENT2 ACL being used by the route-map:
PolicyRouter#show access-list CLIENT2
Extended IP access list CLIENT2
10 permit tcp host 192.168.1.21 any eq telnet (10 matches)
20 permit tcp host 192.168.1.21 any eq 443 (12 matches)
Lets see if other traffic from Client2 is routed out to ISP2
Client2#telnet 201.1.1.2 80
Trying 201.1.1.2, 80 ... Open
HTTP/1.1 400 Bad Request
Date: Fri, 01 Mar 2002 01:19:17 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 201.1.1.2 closed by foreign host]
It works:
route-map POLICY, permit, sequence 30
Match clauses:
Set clauses:
ip next-hop 201.1.1.2
Policy routing matches: 54 packets, 3240 bytes
Task4:
We can do this with IP SLA, which can send out probes (could be connecting to a webserver, like on port 80/443 or pinging a host etc, we can configure many probes over x amount of time, and when the availability of that probe comes back as down we can redirect routes elsewhere)
All very koool!
PolicyRouter(config)#ip sla monitor 1
PolicyRouter(config-sla-monitor)#type ?
dhcp DHCP Operation
dns DNS Query Operation
echo Echo Operation
frame-relay Perform frame relay operation
ftp FTP Operation
http HTTP Operation
jitter Jitter Operation
pathEcho Path Discovered Echo Operation
pathJitter Path Discovered Jitter Operation
tcpConnect TCP Connect Operation
udpEcho UDP Echo Operation
voip Voice Over IP measurement
PolicyRouter(config-sla-monitor)#type echo protocol ipIcmpEcho 200.1.1.2
PolicyRouter(config-sla-monitor-echo)#?
IP SLA Monitor echo Configuration Commands:
buckets-of-history-kept Maximum number of history buckets to
collect
default Set a command to its defaults
distributions-of-statistics-kept Maximum number of statistics distribution
buckets to capture
enhanced-history Enable enhanced history collection
exit Exit probe configuration
filter-for-history Add operation to History when...
frequency Frequency of an operation
hours-of-statistics-kept Maximum number of statistics hour groups to
capture
lives-of-history-kept Maximum number of history lives to collect
no Negate a command or set its defaults
owner Owner of Entry
request-data-size Request data size
statistics-distribution-interval Statistics distribution interval size
tag User defined tag
threshold Operation threshold in milliseconds
timeout Timeout of an operation
tos Type Of Service
verify-data Verify data
vrf Configure IP SLA Monitor for a VPN
Routing/Forwarding instance
PolicyRouter(config-sla-monitor-echo)#timeout 1000
PolicyRouter(config-sla-monitor-echo)#frequency 3
PolicyRouter(config-sla-monitor-echo)#exit
now we need to attach them and schedual them (most monitoring tools can monitor this SLA's tpp)
PolicyRouter(config)#ip sla monitor schedule 1 ?
ageout How long to keep this Entry when inactive
life Length of time to execute in seconds
recurring Probe to be scheduled automatically every day
start-time When to start this entry
<cr>
PolicyRouter(config)#ip sla monitor schedule 1 start-time now life forever
PolicyRouter(config)#track 1 ?
interface Select an interface to track
ip IP protocol
list Group objects in a list
rtr Response Time Reporter (RTR) entry
rtr is actually the old name, it looks like they have not correct the name to SLA lol
PolicyRouter(config)#track 1 inter serial0/0 line-protocol ?
<cr>
look, we can even monitor an interfaces line protocol!!! that could be handy!! anyways ....
PolicyRouter(config)#track 1 rtr 1 ?
reachability Reachability
state Return code state
<cr>
PolicyRouter(config)#track 1 rtr 1 reac
PolicyRouter(config)#track 1 rtr 1 reachability
PolicyRouter(config-track)#?
Tracking instance configuration commands:
default Set a command to its defaults
delay Tracking delay
exit Exit from tracking configuration mode
no Negate a command or set its defaults
We will leave this at the defaults for now, lets create a new route-map to attach this too as this is for the traffic orginating from the router.
PolicyRouter(config)#route-map ROUTER-TRAFFIC permit 10
PolicyRouter(config-route-map)#ip access-list ext ROUTER
PolicyRouter(config-ext-nacl)#permit ip any any
PolicyRouter(config-ext-nacl)#exit
PolicyRouter(config)#route-map ROUTER-TRAFFIC permit 10
PolicyRouter(config-route-map)#match ip address ROUTER
PolicyRouter(config-route-map)#set ip next-hop verify-availability ?
A.B.C.D IP address of next hop
<cr>
PolicyRouter(config-route-map)#set ip next-hop verify-availability 200.1.1.2 ?
<1-65535> Sequence to insert into next-hop list
PolicyRouter(config-route-map)#$-hop verify-availability 200.1.1.2 10 ?
track set the next hop depending on the state of a tracked object
PolicyRouter(config-route-map)#$-hop verify-availability 200.1.1.2 10 tr
PolicyRouter(config-route-map)#$y-availability 200.1.1.2 10 track 1
PolicyRouter(config-route-map)#do show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
Match clauses:
ip address (access-lists): ROUTER
Set clauses:
ip next-hop verify-availability 200.1.1.2 10 track 1 [up]
Policy routing matches: 0 packets, 0 bytes
As we can see it is currently tracking ISP 1 as up :0)
PolicyRouter(config-route-map)#set ip next-hop 201.1.1.2
route-map ROUTER-TRAFFIC, permit, sequence 10
Match clauses:
ip address (access-lists): ROUTER
Set clauses:
ip next-hop verify-availability 200.1.1.2 10 track 1 [up]
ip next-hop 201.1.1.2
Policy routing matches: 0 packets, 0 bytes
PolicyRouter#
Lets apply this to the router, to do this we do this globally:
PolicyRouter(config)#ip local policy route-map ROUTER-TRAFFIC
Lets test:
PolicyRouter#ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/32 ms
PolicyRouter#ping 200.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/16 ms
PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
Match clauses:
ip address (access-lists): ROUTER
Set clauses:
ip next-hop verify-availability 200.1.1.2 10 track 1 [up]
ip next-hop 201.1.1.2
Policy routing matches: 59 packets, 4496 bytes
Lets see if we can ping ISP2 ... which should fail (as ISP1 is still available):
PolicyRouter#ping 201.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PolicyRouter#
Lets shut down the interface to ISP and see if we can ping ISP2 (becuase the route-map will then change the next hop ip address to ISP2)
PolicyRouter(config)#inter ser0/0
PolicyRouter(config-if)#shut
PolicyRouter#show route-map ROUTER-TRAFFIC
*Mar 1 01:58:12.051: %SYS-5-CONFIG_I: Configured from console by console
PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
Match clauses:
ip address (access-lists): ROUTER
Set clauses:
ip next-hop verify-availability 200.1.1.2 10 track 1 [up]
ip next-hop 201.1.1.2
Policy routing matches: 264 packets, 17796 bytes
PolicyRouter#
*Mar 1 01:58:13.819: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar 1 01:58:14.819: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
PolicyRouter#
*Mar 1 01:58:14.955: %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down
PolicyRouter#show route-map ROUTER-TRAFFIC
route-map ROUTER-TRAFFIC, permit, sequence 10
Match clauses:
ip address (access-lists): ROUTER
Set clauses:
ip next-hop verify-availability 200.1.1.2 10 track 1 [down]
ip next-hop 201.1.1.2
Policy routing matches: 266 packets, 17924 bytes
PolicyRouter#ping 201.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/16 ms
PolicyRouter#
SWEEET! how kool is that!!!! Gotta read up some more on IP SLA's ..... kool
No comments:
Post a Comment